September 8, 2017
Our reaction to the Equifax breach was similar to what we imagine many people went through. First, we wanted to know if we were affected. Second, what about our spouse and other immediate family members? Third, better keep an eye on the old credit report or initiate a credit freeze. Since Forrester offers credit monitoring as an employee benefit, and both authors enrolled, one of those is covered.
And that all makes sense – Equifax is known to most consumers as a credit reporting agency. But, that isn’t all that Equifax does.
Equifax For Personal Use
Let’s look at the available products from Equifax targeted for consumers. There are three major product lines that are, not surprisingly, focused on Credit Monitoring and Identity Theft.
Equifax For Business Use
Welcome to an entirely different kind of company. Equifax lists 57 different offerings for businesses, starting with the letter A and ending with the letter V. Everything from Auto Insights for Car Dealers, to Visualization tools is in there.
Why Does Equifax For Business matter?
Equifax collects information about you. You may not know it does, but it does. Even if you aren’t in the population of breached users, they know you. You don’t know what they know about you, and you have no way to find out in normal circumstances. This breach might actually – in a strange twist – provide you insight into what Equifax knows about you, and what it does with that information. Here’s why:
- Equifax is a large-scale data aggregator, data broker, and analytics firm. It collects, analyzes, and derives insights from data – its own data, and data it collects and purchases from other data aggregators.
- Right now we don’t know exactly what information was breached. Information that Equifax aggregated together could also be included.
- We need more transparency before we understand the full extent of the breach. That will tell us how far beyond basic personal data it might go.
Don’t Assume Cybercrime
An automatic assumption is that Equifax was breached by cybercriminals, looking to gain access to information to steal identities and commit credit card fraud. That’s an excellent initial thought process given what we’ve experienced in the past. Here are a couple of “what if” scenarios:
- The whale. The information is used to impersonate executives of firms to have employees wire large sums of money to fraudulent accounts internationally. Having so many details about a person makes impersonating them easier. Suddenly, personal credit fraud can go upscale to financial fraud. These attacks have already happened multiple times over the last few years.
- The spy. The information allows someone to steal an identity. Identity is used when someone registers to vote. There is confirmed evidence of foreign entities attempting to influence the US election in 2016. Using this information – along with other hacks at different spots in our election process – a nation-state could attempt to disrupt the 2018 or 2020 election. For an example of a similar, but different, situation that illustrates how this could occur, consider the OPM breach, which led to decreased intelligence collection capabilities for US intelligence agencies after the breach.
Playing a game of “what if” has value – it makes sure we don’t treat our assumptions as certainties.
What Should S&R Pros Do?
There are two areas to evaluate – what might happen personally, and what might happen professionally.
To protect yourself:
- Assume you are compromised. The breadth and depth of this breach, along with all the other breaches that have occurred, makes it safe to assume that your personal information is in the hands of people who will use it for nefarious purposes. Act accordingly.
- Use credit monitoring – but not what Equifax offered. Go to a competitor of theirs, sign up through your employer if it’s open enrollment for benefits, through your credit card company, or even an alumni offering.
- Think about establishing a credit freeze. But make sure to do it through all three credit bureaus, and remember that freezing might have costs depending on your state.
- If your passwords or security questions use ANY personal information (addresses, schools, old car makes and models, etc.), change them right away. It’s possible that someone who wants to impersonate you to steal things now knows quite a lot about you.
- We need to demand control over our information. The 21st century needs a data bill of rights. GDPR is a decent start, but it doesn’t go far enough. Individuals need transparency about data collection and use. More importantly, we need the right to say no to companies that want to collect our data if we don’t like the extent of the collection or how it might be used. We should also have the right to say that certain companies can never have our data again, there should be repercussions for violating our trust, and it’s their responsibility to protect our information.
To protect your firm:
Until we know more, we have to assume that it’s going to be remarkably easy to impersonate . . . well, anyone. The initial numbers stated that 44% of the US is affected. But 22.8% of the US is under 18 per the Census Bureau. Therefore 56% of all US adults might be affected by this.
- Lock down your financial transfer processes. Make sure to include separation of duties and multi-factor authentication and authorization before paying anything.
- Remain vigilant against phishing emails. Increase end user training to help users spot them, and explain the significance of social media risks to employees as well.
- Deploy managed detection and response services. Work with providers that perform proactive threat hunting to identify threats as early as possible.
- Invest in security analytics. Analytics will help identify anomalous behavior before signatures will.
- Make web application security cool again. Our surveys indicate that 34% of data breaches were the result of web application attacks. Bake web application testing into your SDLC.
- Review your incident response plan, including your public notification plan. What’s worse than a data breach? Responding to a data breach poorly. Practice via simulations.